Foreman appears to handle FQDNs with a trailing dot inconstantly in it's validation, leading to at least two problems, one major (unable to login on new installation):
1) When the admin account is created on a host with a trailing dot in dns, the email address gets set to root@fqdn.com. . The trailing dot causes the password setting (or a rake permissions:reset) to fail with "Mail is invalid". Editing the db to change the email address to one without a trailing dot allows things to work properly.
2) Foreman and foreman-proxy setup their reference to the host's ssl certificate differently. In my case, foreman had "fqdn.com.pem", and foreman-proxy had "fqdn.com..pem". The certificates & keys were actually created as "fqdn.com..pem". I moved them to "fqdn.com.pem" and updated foreman-proxy's settings appropriately to resolve the problem.